The Fining Policy was published on 14 October 2019 by the German Data Protection Authority (Datenschutzbehörde). With this policy the authority adopted a new method for calculating the administrative fines imposed for GDPR infringements, including data breaches.
The fines payable for such infringements are determined under this policy. The enterprise responsible for the infringement must pay a fine calculated from its annual turnover and the severity of the infringement.
It is first necessary to examine the Dutch Fining Policy, published on 14 March 2019 as the first example of a fining policy for GDPR infringements. The Dutch Data Protection Authority (the Dutch Authority) established a model of four fine categories, each with its own bandwidth. The Dutch Authority sets a basic fine for each category of infringement but may, depending on the gravity, the specific characteristics and the other circumstances of the infringement, increase or decrease this basic fine within the bandwidth. The Dutch Authority may also impose a fine outside the bandwidth if it considers the fine that would otherwise result "not appropriate". The policy provides that in such a case the fine may be set, within the maximums laid down by the GDPR, at the level needed to make it "effective, proportionate and dissuasive" in each individual case.
Like the Dutch Authority, the German Data Protection Authority has categorised administrative fines under the GDPR in its policy. With this policy, however, the German Authority has developed a company-oriented system of fines that differs from the Dutch approach: it aims at transparency and at fines scaled to the economic size of each company. Unlike the four-category Dutch model, the German Authority uses a five-step method, intended to produce fines on a case-by-case basis in a transparent way.
The German Policy introduces a classification that the Dutch Policy lacks: companies are classified as micro, small or medium-sized enterprises (SMEs) or as large companies. Under the policy, the company is first placed in one of these four groups; in the second step, its average annual turnover is determined. In the third step, the German Authority derives a "daily rate" by dividing the annual turnover by 360 days. In the fourth step, the infringement is classified according to its gravity and the damage caused as minor, average, severe or very severe, and the Authority creates a "fine corridor" by multiplying the daily rate determined in the previous step by a factor corresponding to that severity. In the last step, the Authority may adjust the fine within that corridor, assessing the nature of the offence, the data subjects affected and the consequences under the GDPR: the nature, scope and purpose of the unlawful processing, the number of data subjects involved, and the level of damage suffered by them and by others exposed to the infringement.
Although the Dutch and German fining policies have similarities, the differences between them are significant. The focus of the Dutch Fining Policy is the type of infringement and the nature of the case: the fine is moved up or down within the bandwidth entirely according to the nature of the violation. This policy primarily aims to set the fine according to the substantive elements of the infringement and contains no rules concerning the companies that committed it. The German fining policy, by contrast, also focuses on the company responsible: it is based not only on the nature of the infringement but also on the size of the company that committed it.
With the new system introduced by the German Fining Policy, the amount of fines for GDPR infringements increases. The company classifications defined in the policy are based solely on the turnover of the companies; there is no classification by their field of activity. Fines calculated from annual turnover therefore carry significant risk for companies. The policy intends that the fines imposed on companies in each case will be transparent, proportionate and dissuasive.